Educause Security Discussion mailing list archives
Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Brian Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Wed, 24 Jan 2007 18:15:50 -0500
Warren Petrofsky wrote:
We are seeing an alarming attack trend on the Penn campus. Please find below a summary and preliminary conclusions, followed by some details. I apologize in advance for the length of this report. We are very interested in receiving suggestions and comments from the group, as well as getting the warning out there, as we have yet to find any reports of this trend, though as a colleague pointed out, the ISC Storm Center does show a significant spike in both sources and targets for port 6000 between Dec. 11th and 14th, 2006.

Summary and Conclusion:

We have seen a series of single user accounts compromised, with users using unique, complex (sometimes > 14 char) passwords that are only sent over encrypted channels. In most cases, these users were running an X server application on their Windows machine, connecting to a Linux or Solaris server, using ssh tunneling. Our current working assumption is that there is an active compromise being spread via vulnerable X server installations on port 6000. After privilege escalation is achieved, keyloggers are being installed on the system in general, or all transmissions to the X session are being logged.
Hey Warren,

We've seen the same thing recently and we're pretty sure this is a result of X11 sniffing. A number of folks have done good writeups on the subject, including:

The ease of (ab)using X11:
http://www.hackinglinuxexposed.com/articles/20040513.html
http://www.hackinglinuxexposed.com/articles/20040608.html

Other .EDUs' guides (with much thanks to the respective authors):
http://www.stanford.edu/group/security/securecomputing/x-window/index.html
http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/#X11
http://www.biac.duke.edu/library/documentation/xwin32/Security.html

Briefly, the attacker connects to an X server and - provided the X server has been improperly configured - they are able to grab a screen dump, keystrokes, and anything else in the X session. This is why you'll find keystroke logs on host1 for host2, host3, and host4; host1 is just connecting to the X server running on the others and watching what the user on those remote systems is doing. There may not be any malware installed on host2, host3, or host4, and they may not even show signs of compromise (if the attacker hasn't gotten around to logging into them).

I don't think any modern *nix default installations are set up this way, but I have seen several X Windows servers running on MS Windows that I could sniff. And the user can always open their systems up using xhost in its evil incarnation "xhost +". This is traditionally done to allow X applications to run from remote systems and display on your desktop; as you noted, a *much* better way to do this is to forward these connections via ssh.

We've seen attackers use the compromised user's ssh known_hosts file to figure out where to try their credentials next. This creates an alarming pattern where an external attacker, seemingly without any brute-force attack, suddenly knows one or more credentials and knows exactly which systems to use them on.

When a machine is compromised this way I would assume any and all credentials that the local user has there or on any remote system are in the hands of the attacker, and should be changed immediately. If the user had a pubkey they authenticated with, they should change that as well. We've found our attackers are mostly sticking to user-level accounts, but that's likely just a matter of chance.

Hope this helps.

Cheers,
Brian

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney
Sr. Network Security Analyst
ITS Technology Security Services, New York University
bsmithsweeney () nyu edu
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
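Brian's two conditions for X11 sniffing (an X server reachable on TCP 6000+n, and access control switched off with "xhost +") can be turned into a quick workstation-side check. The script below is an added example for this archive page, not code from the thread or from any of the institutions named in it. It assumes the output formats of the real `xhost` and `ss -ltn` commands; the sample outputs embedded in it are constructed for the example.

```python
"""Audit a workstation for the X11 exposure described in the thread.

Two signals are checked:
  1. Is an X display (TCP 6000-6063) bound to a non-loopback address?
  2. Has the user disabled X access control ("xhost +")?

Input is the text of `xhost` and `ss -ltn`; the samples are constructed.
"""

# X display :n listens on TCP 6000+n; this range covers displays :0 to :63.
X_DISPLAY_PORTS = range(6000, 6064)
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample: what `xhost` prints after a user ran "xhost +".
XHOST_OPEN = "access control disabled, clients can connect from any host\n"
# Constructed sample: the default state on a modern Unix desktop.
XHOST_CLOSED = (
    "access control enabled, only authorized clients can connect\n"
    "SI:localuser:alice\n"
)
# Constructed sample of `ss -ltn`: sshd, an X server exposed to the
# network on :0, and an ssh-forwarded display (:10) correctly on loopback.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*
"""


def access_control_enabled(xhost_text):
    """True when the first line of `xhost` output reports access control on."""
    return xhost_text.lstrip().startswith("access control enabled")


def x_listeners(ss_text):
    """Return (address, port) for every LISTEN socket in the X display range."""
    found = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, port = parts[3].rsplit(":", 1)  # rsplit keeps IPv6 '[::]' intact
        if port.isdigit() and int(port) in X_DISPLAY_PORTS:
            found.append((addr, int(port)))
    return found


def assess(xhost_text, ss_text):
    """Combine both signals into a list of findings (empty means nothing seen)."""
    findings = []
    for addr, port in x_listeners(ss_text):
        if addr in LOOPBACK:
            continue  # ssh X11 forwarding binds here; not reachable remotely
        findings.append(
            f"display :{port - 6000} listening on {addr}:{port}, "
            "reachable from the network"
        )
    if not access_control_enabled(xhost_text):
        findings.append(
            "xhost access control disabled: any client that can reach the "
            "display can read keystrokes and screen contents"
        )
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; swap in real command output to use.
    for finding in assess(XHOST_OPEN, SS_OUTPUT):
        print("FINDING:", finding)
    print("default config findings:", assess(XHOST_CLOSED, SS_OUTPUT))
```

On a real machine, feed it the output of `xhost` and `ss -ltn` from the user's session; an exposed display with access control off is the combination Brian describes. A display that only appears on loopback (port 6010 above) is what ssh X11 forwarding looks like and is the configuration he recommends. For the known_hosts harvesting he mentions, the stock OpenSSH client option `HashKnownHosts yes` stores hostnames hashed, so a stolen file no longer reads as a target list.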
Current thread:
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Roger Safian (Jan 24)
- <Possible follow-ups>
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Brian Smith-Sweeney (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers James J. Barlow (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Wes Young (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Warren Petrofsky (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Valdis Kletnieks (Jan 25)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Chris Edwards (Jan 26)